On the one hand, there is no need to ask for password confirmation because it is annoying. If I make a mistake when confirming my password, I'll need to retype my very complex password again. There is also a button that can show/hide the password, so I don't need to retype it in order to confirm it.

However, some users don't use the password show/hide button, and the 'forgotten password' option will be a pain for them.

Twitter removed the password confirmation from registration but left the dual confirmation in place for changing the password. Is this the right approach?

3 Answers

Password confirmation might be useful to bring out a mistake that the user might make when typing his password the first time. Suppose the user typed some password, but it is different from what he intended to type (this might be because of unintentionally pressing the wrong key). This can be brought out if the confirmation password does not match the actual password. But it is true that the user might make the same mistake in typing both passwords, and in such a case the mistake will not be known until he tries to log in the next time.

There are occasions where it would not be advisable to show a password in plain text. Arguably, it's probably unwise to be using a passworded application in those situations, but that's beside the point.

One potential solution I have seen used is to have both the Show/Hide checkbox and a second field. If the password is hidden, force it to be reentered; if it is shown, it doesn't need to be confirmed [and the second field might be disabled].